int device_consistency_commitment_create(device_consistency_commitment **commitment,
uint32_t generation, ec_public_key_list *identity_key_list,
signal_context *global_context)
{
static const char version[] = "DeviceConsistencyCommitment_V0";
int result = 0;
void *digest_context = 0;
device_consistency_commitment *result_commitment = 0;
ec_public_key_list *sorted_list = 0;
uint8_t gen_data[4];
unsigned int list_size;
unsigned int i;
result_commitment = malloc(sizeof(device_consistency_commitment));
if(!result_commitment) {
result = SG_ERR_NOMEM;
goto complete;
}
memset(result_commitment, 0, sizeof(device_consistency_commitment));
SIGNAL_INIT(result_commitment, device_consistency_commitment_destroy);
sorted_list = ec_public_key_list_copy(identity_key_list);
if(!sorted_list) {
result = SG_ERR_NOMEM;
goto complete;
}
ec_public_key_list_sort(sorted_list);
result = signal_sha512_digest_init(global_context, &digest_context);
if(result < 0) {
goto complete;
}
result = signal_sha512_digest_update(global_context, digest_context,
(uint8_t *)version, sizeof(version) - 1);
if(result < 0) {
goto complete;
}
gen_data[3] = (uint8_t)(generation);
gen_data[2] = (uint8_t)(generation >> 8);
gen_data[1] = (uint8_t)(generation >> 16);
gen_data[0] = (uint8_t)(generation >> 24);
result = signal_sha512_digest_update(global_context, digest_context,
gen_data, sizeof(gen_data));
if(result < 0) {
goto complete;
}
list_size = ec_public_key_list_size(sorted_list);
for(i = 0; i < list_size; i++) {
signal_buffer *key_buffer = 0;
ec_public_key *key = ec_public_key_list_at(sorted_list, i);
result = ec_public_key_serialize(&key_buffer, key);
if(result < 0) {
goto complete;
}
result = signal_sha512_digest_update(global_context, digest_context,
signal_buffer_data(key_buffer), signal_buffer_len(key_buffer));
signal_buffer_free(key_buffer);
if(result < 0) {
goto complete;
}
}
result_commitment->generation = generation;
result = signal_sha512_digest_final(global_context, digest_context, &result_commitment->serialized);
complete:
if(sorted_list) {
ec_public_key_list_free(sorted_list);
}
if(digest_context) {
signal_sha512_digest_cleanup(global_context, digest_context);
}
if(result >= 0) {
*commitment = result_commitment;
}
else {
SIGNAL_UNREF(result_commitment);
}
return result;
}
int device_consistency_message_create_from_pair(device_consistency_message **message,
device_consistency_commitment *commitment,
ec_key_pair *identity_key_pair,
signal_context *global_context)
{
int result = 0;
device_consistency_message *result_message = 0;
signal_buffer *commitment_buffer = 0;
signal_buffer *signature_buffer = 0;
signal_buffer *vrf_output_buffer = 0;
signal_buffer *serialized_signature_buffer = 0;
Textsecure__DeviceConsistencyCodeMessage message_structure = TEXTSECURE__DEVICE_CONSISTENCY_CODE_MESSAGE__INIT;
size_t len = 0;
uint8_t *data = 0;
size_t result_size = 0;
/* Create message instance */
result = device_consistency_message_create(&result_message);
if(result < 0) {
goto complete;
}
/* Calculate VRF signature */
commitment_buffer = device_consistency_commitment_get_serialized(commitment);
result = curve_calculate_vrf_signature(global_context, &signature_buffer,
ec_key_pair_get_private(identity_key_pair),
signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer));
if(result < 0) {
goto complete;
}
/* Verify VRF signature */
result = curve_verify_vrf_signature(global_context, &vrf_output_buffer,
ec_key_pair_get_public(identity_key_pair),
signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer),
signal_buffer_data(signature_buffer), signal_buffer_len(signature_buffer));
if(result < 0) {
goto complete;
}
result_message->generation = device_consistency_commitment_get_generation(commitment);
/* Create and assign the signature */
result = device_consistency_signature_create(&result_message->signature,
signal_buffer_data(signature_buffer), signal_buffer_len(signature_buffer),
signal_buffer_data(vrf_output_buffer), signal_buffer_len(vrf_output_buffer));
if(result < 0) {
goto complete;
}
serialized_signature_buffer = device_consistency_signature_get_signature(result_message->signature);
/* Serialize the message */
message_structure.generation = device_consistency_commitment_get_generation(commitment);
message_structure.has_generation = 1;
message_structure.signature.data = signal_buffer_data(serialized_signature_buffer);
message_structure.signature.len = signal_buffer_len(serialized_signature_buffer);
message_structure.has_signature = 1;
len = textsecure__device_consistency_code_message__get_packed_size(&message_structure);
result_message->serialized = signal_buffer_alloc(len);
if(!result_message->serialized) {
result = SG_ERR_NOMEM;
goto complete;
}
data = signal_buffer_data(result_message->serialized);
result_size = textsecure__device_consistency_code_message__pack(&message_structure, data);
if(result_size != len) {
result = SG_ERR_INVALID_PROTO_BUF;
goto complete;
}
complete:
signal_buffer_free(signature_buffer);
signal_buffer_free(vrf_output_buffer);
if(result >= 0) {
*message = result_message;
}
else {
SIGNAL_UNREF(result_message);
}
if(result == SG_ERR_INVALID_KEY || result == SG_ERR_VRF_SIG_VERIF_FAILED) {
result = SG_ERR_UNKNOWN;
}
return result;
}
END_TEST
START_TEST(test_curve25519_signature)
{
int result;
uint8_t aliceIdentityPrivate[] = {
0xc0, 0x97, 0x24, 0x84, 0x12, 0xe5, 0x8b, 0xf0,
0x5d, 0xf4, 0x87, 0x96, 0x82, 0x05, 0x13, 0x27,
0x94, 0x17, 0x8e, 0x36, 0x76, 0x37, 0xf5, 0x81,
0x8f, 0x81, 0xe0, 0xe6, 0xce, 0x73, 0xe8, 0x65};
uint8_t aliceIdentityPublic[] = {
0x05, 0xab, 0x7e, 0x71, 0x7d, 0x4a, 0x16, 0x3b,
0x7d, 0x9a, 0x1d, 0x80, 0x71, 0xdf, 0xe9, 0xdc,
0xf8, 0xcd, 0xcd, 0x1c, 0xea, 0x33, 0x39, 0xb6,
0x35, 0x6b, 0xe8, 0x4d, 0x88, 0x7e, 0x32, 0x2c,
0x64};
uint8_t aliceEphemeralPublic[] = {
0x05, 0xed, 0xce, 0x9d, 0x9c, 0x41, 0x5c, 0xa7,
0x8c, 0xb7, 0x25, 0x2e, 0x72, 0xc2, 0xc4, 0xa5,
0x54, 0xd3, 0xeb, 0x29, 0x48, 0x5a, 0x0e, 0x1d,
0x50, 0x31, 0x18, 0xd1, 0xa8, 0x2d, 0x99, 0xfb,
0x4a};
uint8_t aliceSignature[] = {
0x5d, 0xe8, 0x8c, 0xa9, 0xa8, 0x9b, 0x4a, 0x11,
0x5d, 0xa7, 0x91, 0x09, 0xc6, 0x7c, 0x9c, 0x74,
0x64, 0xa3, 0xe4, 0x18, 0x02, 0x74, 0xf1, 0xcb,
0x8c, 0x63, 0xc2, 0x98, 0x4e, 0x28, 0x6d, 0xfb,
0xed, 0xe8, 0x2d, 0xeb, 0x9d, 0xcd, 0x9f, 0xae,
0x0b, 0xfb, 0xb8, 0x21, 0x56, 0x9b, 0x3d, 0x90,
0x01, 0xbd, 0x81, 0x30, 0xcd, 0x11, 0xd4, 0x86,
0xce, 0xf0, 0x47, 0xbd, 0x60, 0xb8, 0x6e, 0x88};
ec_private_key *alice_private_key = 0;
ec_public_key *alice_public_key = 0;
ec_public_key *alice_ephemeral = 0;
/* Initialize Alice's private key */
result = curve_decode_private_point(&alice_private_key, aliceIdentityPrivate, sizeof(aliceIdentityPrivate), global_context);
ck_assert_int_eq(result, 0);
ck_assert_ptr_ne(alice_private_key, 0);
/* Initialize Alice's public key */
result = curve_decode_point(&alice_public_key, aliceIdentityPublic, sizeof(aliceIdentityPublic), global_context);
ck_assert_int_eq(result, 0);
ck_assert_ptr_ne(alice_public_key, 0);
/* Initialize Alice's ephemeral key */
result = curve_decode_point(&alice_ephemeral, aliceEphemeralPublic, sizeof(aliceEphemeralPublic), global_context);
ck_assert_int_eq(result, 0);
ck_assert_ptr_ne(alice_ephemeral, 0);
result = curve_verify_signature(alice_public_key,
aliceEphemeralPublic, sizeof(aliceEphemeralPublic),
aliceSignature, sizeof(aliceSignature));
ck_assert_msg(result == 1, "signature verification failed");
uint8_t modifiedSignature[sizeof(aliceSignature)];
int i;
for(i = 0; i < sizeof(aliceSignature); i++) {
memcpy(modifiedSignature, aliceSignature, sizeof(aliceSignature));
modifiedSignature[i] ^= 0x01;
result = curve_verify_signature(alice_public_key,
aliceEphemeralPublic, sizeof(aliceEphemeralPublic),
modifiedSignature, sizeof(modifiedSignature));
ck_assert_msg(result != 1, "signature verification succeeded");
}
/* Cleanup */
SIGNAL_UNREF(alice_private_key);
SIGNAL_UNREF(alice_public_key);
SIGNAL_UNREF(alice_ephemeral);
}
int scannable_fingerprint_deserialize(scannable_fingerprint **scannable, const uint8_t *data, size_t len, signal_context *global_context)
{
int result = 0;
Textsecure__CombinedFingerprint *combined_fingerprint = 0;
uint32_t version = 0;
char *local_stable_identifier = 0;
ec_public_key *local_identity_key = 0;
char *remote_stable_identifier = 0;
ec_public_key *remote_identity_key = 0;
combined_fingerprint = textsecure__combined_fingerprint__unpack(0, len, data);
if(!combined_fingerprint) {
result = SG_ERR_INVALID_PROTO_BUF;
goto complete;
}
if(combined_fingerprint->has_version) {
version = combined_fingerprint->version;
}
if(combined_fingerprint->localfingerprint) {
if(combined_fingerprint->localfingerprint->has_identifier) {
local_stable_identifier = signal_protocol_str_deserialize_protobuf(&combined_fingerprint->localfingerprint->identifier);
if(!local_stable_identifier) {
result = SG_ERR_NOMEM;
goto complete;
}
}
if(combined_fingerprint->localfingerprint->has_publickey) {
result = curve_decode_point(&local_identity_key,
combined_fingerprint->localfingerprint->publickey.data,
combined_fingerprint->localfingerprint->publickey.len,
global_context);
if(result < 0) {
goto complete;
}
}
}
if(combined_fingerprint->remotefingerprint) {
if(combined_fingerprint->remotefingerprint->has_identifier) {
remote_stable_identifier = signal_protocol_str_deserialize_protobuf(&combined_fingerprint->remotefingerprint->identifier);
if(!remote_stable_identifier) {
result = SG_ERR_NOMEM;
goto complete;
}
}
if(combined_fingerprint->remotefingerprint->has_publickey) {
result = curve_decode_point(&remote_identity_key,
combined_fingerprint->remotefingerprint->publickey.data,
combined_fingerprint->remotefingerprint->publickey.len,
global_context);
if(result < 0) {
goto complete;
}
}
}
result = scannable_fingerprint_create(scannable, version,
local_stable_identifier, local_identity_key,
remote_stable_identifier, remote_identity_key);
complete:
if(combined_fingerprint) {
textsecure__combined_fingerprint__free_unpacked(combined_fingerprint, 0);
}
if(local_stable_identifier) {
free(local_stable_identifier);
}
if(local_identity_key) {
SIGNAL_UNREF(local_identity_key);
}
if(remote_stable_identifier) {
free(remote_stable_identifier);
}
if(remote_identity_key) {
SIGNAL_UNREF(remote_identity_key);
}
return result;
}
int ratcheting_session_alice_initialize(
session_state *state,
alice_signal_protocol_parameters *parameters,
signal_context *global_context)
{
int result = 0;
uint8_t *agreement = 0;
int agreement_len = 0;
ec_key_pair *sending_ratchet_key = 0;
ratchet_root_key *derived_root = 0;
ratchet_chain_key *derived_chain = 0;
ratchet_root_key *sending_chain_root = 0;
ratchet_chain_key *sending_chain_key = 0;
struct vpool vp;
uint8_t *secret = 0;
size_t secret_len = 0;
uint8_t discontinuity_data[32];
assert(state);
assert(parameters);
assert(global_context);
vpool_init(&vp, 1024, 0);
result = curve_generate_key_pair(global_context, &sending_ratchet_key);
if(result < 0) {
goto complete;
}
memset(discontinuity_data, 0xFF, sizeof(discontinuity_data));
if(!vpool_insert(&vp, vpool_get_length(&vp), discontinuity_data, sizeof(discontinuity_data))) {
result = SG_ERR_NOMEM;
goto complete;
}
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_signed_pre_key, parameters->our_identity_key->private_key);
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_identity_key, ec_key_pair_get_private(parameters->our_base_key));
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_signed_pre_key, ec_key_pair_get_private(parameters->our_base_key));
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
if(parameters->their_one_time_pre_key) {
agreement_len = curve_calculate_agreement(&agreement,
parameters->their_one_time_pre_key, ec_key_pair_get_private(parameters->our_base_key));
if(agreement_len < 0) {
result = agreement_len;
goto complete;
}
if(vpool_insert(&vp, vpool_get_length(&vp), agreement, (size_t)agreement_len)) {
free(agreement); agreement = 0; agreement_len = 0;
}
else {
result = SG_ERR_NOMEM;
goto complete;
}
}
if(vpool_is_empty(&vp)) {
result = SG_ERR_UNKNOWN;
goto complete;
}
secret = vpool_get_buf(&vp);
secret_len = vpool_get_length(&vp);
result = ratcheting_session_calculate_derived_keys(&derived_root, &derived_chain, secret, secret_len, global_context);
if(result < 0) {
goto complete;
}
result = ratchet_root_key_create_chain(derived_root,
&sending_chain_root, &sending_chain_key,
parameters->their_ratchet_key,
ec_key_pair_get_private(sending_ratchet_key));
if(result < 0) {
goto complete;
}
complete:
if(result >= 0) {
session_state_set_session_version(state, CIPHERTEXT_CURRENT_VERSION);
session_state_set_remote_identity_key(state, parameters->their_identity_key);
session_state_set_local_identity_key(state, parameters->our_identity_key->public_key);
session_state_add_receiver_chain(state, parameters->their_ratchet_key, derived_chain);
session_state_set_sender_chain(state, sending_ratchet_key, sending_chain_key);
session_state_set_root_key(state, sending_chain_root);
}
vpool_final(&vp);
if(agreement) {
free(agreement);
}
if(sending_ratchet_key) {
SIGNAL_UNREF(sending_ratchet_key);
}
if(derived_root) {
SIGNAL_UNREF(derived_root);
}
if(derived_chain) {
SIGNAL_UNREF(derived_chain);
}
if(sending_chain_root) {
SIGNAL_UNREF(sending_chain_root);
}
if(sending_chain_key) {
SIGNAL_UNREF(sending_chain_key);
}
return result;
}
END_TEST
START_TEST(test_curve25519_random_agreements)
{
int result;
int i;
ec_key_pair *alice_key_pair = 0;
ec_public_key *alice_public_key = 0;
ec_private_key *alice_private_key = 0;
ec_key_pair *bob_key_pair = 0;
ec_public_key *bob_public_key = 0;
ec_private_key *bob_private_key = 0;
uint8_t *shared_alice = 0;
uint8_t *shared_bob = 0;
signal_context *context;
signal_context_create(&context, 0);
setup_test_crypto_provider(context);
for(i = 0; i < 50; i++) {
/* Generate Alice's key pair */
result = curve_generate_key_pair(context, &alice_key_pair);
ck_assert_int_eq(result, 0);
alice_public_key = ec_key_pair_get_public(alice_key_pair);
alice_private_key = ec_key_pair_get_private(alice_key_pair);
ck_assert_ptr_ne(alice_public_key, 0);
ck_assert_ptr_ne(alice_private_key, 0);
/* Generate Bob's key pair */
result = curve_generate_key_pair(context, &bob_key_pair);
ck_assert_int_eq(result, 0);
bob_public_key = ec_key_pair_get_public(bob_key_pair);
bob_private_key = ec_key_pair_get_private(bob_key_pair);
ck_assert_ptr_ne(bob_public_key, 0);
ck_assert_ptr_ne(bob_private_key, 0);
/* Calculate Alice's key agreement */
result = curve_calculate_agreement(&shared_alice, bob_public_key, alice_private_key);
ck_assert_int_eq(result, 32);
ck_assert_ptr_ne(shared_alice, 0);
/* Calculate Bob's key agreement */
result = curve_calculate_agreement(&shared_bob, alice_public_key, bob_private_key);
ck_assert_int_eq(result, 32);
ck_assert_ptr_ne(shared_bob, 0);
/* Assert that key agreements match */
ck_assert_int_eq(memcmp(shared_alice, shared_bob, 32), 0);
/* Cleanup */
if(shared_alice) { free(shared_alice); }
if(shared_bob) { free(shared_bob); }
SIGNAL_UNREF(alice_key_pair);
SIGNAL_UNREF(bob_key_pair);
alice_key_pair = 0;
bob_key_pair = 0;
alice_public_key = 0;
alice_private_key = 0;
bob_public_key = 0;
bob_private_key = 0;
shared_alice = 0;
shared_bob = 0;
}
signal_context_destroy(context);
}
int ratchet_root_key_create_chain(ratchet_root_key *root_key,
ratchet_root_key **new_root_key, ratchet_chain_key **new_chain_key,
ec_public_key *their_ratchet_key,
ec_private_key *our_ratchet_key_private)
{
static const char key_info[] = "WhisperRatchet";
int result = 0;
ssize_t result_size = 0;
uint8_t *shared_secret = 0;
size_t shared_secret_len = 0;
uint8_t *derived_secret = 0;
ratchet_root_key *new_root_key_result = 0;
ratchet_chain_key *new_chain_key_result = 0;
if(!their_ratchet_key || !our_ratchet_key_private) {
return SG_ERR_INVAL;
}
result = curve_calculate_agreement(&shared_secret, their_ratchet_key, our_ratchet_key_private);
if(result < 0) {
signal_log(root_key->global_context, SG_LOG_WARNING, "curve_calculate_agreement failed");
goto complete;
}
shared_secret_len = (size_t)result;
result_size = hkdf_derive_secrets(root_key->kdf, &derived_secret,
shared_secret, shared_secret_len,
root_key->key, root_key->key_len,
(uint8_t *)key_info, sizeof(key_info) - 1,
DERIVED_ROOT_SECRETS_SIZE);
if(result_size < 0) {
result = (int)result_size;
signal_log(root_key->global_context, SG_LOG_WARNING, "hkdf_derive_secrets failed");
goto complete;
}
else if(result_size != DERIVED_ROOT_SECRETS_SIZE) {
result = SG_ERR_UNKNOWN;
signal_log(root_key->global_context, SG_LOG_WARNING, "hkdf_derive_secrets size mismatch");
goto complete;
}
result = ratchet_root_key_create(&new_root_key_result, root_key->kdf,
derived_secret, 32,
root_key->global_context);
if(result < 0) {
signal_log(root_key->global_context, SG_LOG_WARNING, "ratchet_root_key_create failed");
goto complete;
}
result = ratchet_chain_key_create(&new_chain_key_result, root_key->kdf,
derived_secret + 32, 32, 0,
root_key->global_context);
if(result < 0) {
signal_log(root_key->global_context, SG_LOG_WARNING, "ratchet_chain_key_create failed");
goto complete;
}
complete:
if(shared_secret) {
free(shared_secret);
}
if(derived_secret) {
free(derived_secret);
}
if(result < 0) {
if(new_root_key_result) {
SIGNAL_UNREF(new_root_key_result);
}
if(new_chain_key_result) {
SIGNAL_UNREF(new_chain_key_result);
}
return result;
}
else {
*new_root_key = new_root_key_result;
*new_chain_key = new_chain_key_result;
return 0;
}
}
static int session_cipher_decrypt_from_record_and_signal_message(session_cipher *cipher,
session_record *record, signal_message *ciphertext, signal_buffer **plaintext)
{
int result = 0;
signal_buffer *result_buf = 0;
session_state *state = 0;
session_state *state_copy = 0;
session_record_state_node *previous_states_node = 0;
assert(cipher);
signal_lock(cipher->global_context);
state = session_record_get_state(record);
if(state) {
result = session_state_copy(&state_copy, state, cipher->global_context);
if(result < 0) {
goto complete;
}
//TODO Collect and log invalid message errors if totally unsuccessful
result = session_cipher_decrypt_from_state_and_signal_message(cipher, state_copy, ciphertext, &result_buf);
if(result < 0 && result != SG_ERR_INVALID_MESSAGE) {
goto complete;
}
if(result >= SG_SUCCESS) {
session_record_set_state(record, state_copy);
goto complete;
}
SIGNAL_UNREF(state_copy);
}
previous_states_node = session_record_get_previous_states_head(record);
while(previous_states_node) {
state = session_record_get_previous_states_element(previous_states_node);
result = session_state_copy(&state_copy, state, cipher->global_context);
if(result < 0) {
goto complete;
}
result = session_cipher_decrypt_from_state_and_signal_message(cipher, state_copy, ciphertext, &result_buf);
if(result < 0 && result != SG_ERR_INVALID_MESSAGE) {
goto complete;
}
if(result >= SG_SUCCESS) {
session_record_get_previous_states_remove(record, previous_states_node);
result = session_record_promote_state(record, state_copy);
goto complete;
}
SIGNAL_UNREF(state_copy);
previous_states_node = session_record_get_previous_states_next(previous_states_node);
}
signal_log(cipher->global_context, SG_LOG_WARNING, "No valid sessions");
result = SG_ERR_INVALID_MESSAGE;
complete:
SIGNAL_UNREF(state_copy);
if(result >= 0) {
*plaintext = result_buf;
}
else {
signal_buffer_free(result_buf);
}
signal_unlock(cipher->global_context);
return result;
}
int session_cipher_encrypt(session_cipher *cipher,
const uint8_t *padded_message, size_t padded_message_len,
ciphertext_message **encrypted_message)
{
int result = 0;
session_record *record = 0;
session_state *state = 0;
ratchet_chain_key *chain_key = 0;
ratchet_chain_key *next_chain_key = 0;
ratchet_message_keys message_keys;
ec_public_key *sender_ephemeral = 0;
uint32_t previous_counter = 0;
uint32_t session_version = 0;
signal_buffer *ciphertext = 0;
uint32_t chain_key_index = 0;
ec_public_key *local_identity_key = 0;
ec_public_key *remote_identity_key = 0;
signal_message *message = 0;
pre_key_signal_message *pre_key_message = 0;
uint8_t *ciphertext_data = 0;
size_t ciphertext_len = 0;
assert(cipher);
signal_lock(cipher->global_context);
if(cipher->inside_callback == 1) {
result = SG_ERR_INVAL;
goto complete;
}
result = signal_protocol_session_load_session(cipher->store, &record, cipher->remote_address);
if(result < 0) {
goto complete;
}
state = session_record_get_state(record);
if(!state) {
result = SG_ERR_UNKNOWN;
goto complete;
}
chain_key = session_state_get_sender_chain_key(state);
if(!chain_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
result = ratchet_chain_key_get_message_keys(chain_key, &message_keys);
if(result < 0) {
goto complete;
}
sender_ephemeral = session_state_get_sender_ratchet_key(state);
if(!sender_ephemeral) {
result = SG_ERR_UNKNOWN;
goto complete;
}
previous_counter = session_state_get_previous_counter(state);
session_version = session_state_get_session_version(state);
result = session_cipher_get_ciphertext(cipher,
&ciphertext,
session_version, &message_keys,
padded_message, padded_message_len);
if(result < 0) {
goto complete;
}
ciphertext_data = signal_buffer_data(ciphertext);
ciphertext_len = signal_buffer_len(ciphertext);
chain_key_index = ratchet_chain_key_get_index(chain_key);
local_identity_key = session_state_get_local_identity_key(state);
if(!local_identity_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
remote_identity_key = session_state_get_remote_identity_key(state);
if(!remote_identity_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
result = signal_message_create(&message,
session_version,
message_keys.mac_key, sizeof(message_keys.mac_key),
sender_ephemeral,
chain_key_index, previous_counter,
ciphertext_data, ciphertext_len,
local_identity_key, remote_identity_key,
cipher->global_context);
if(result < 0) {
goto complete;
}
if(session_state_has_unacknowledged_pre_key_message(state) == 1) {
uint32_t local_registration_id = session_state_get_local_registration_id(state);
int has_pre_key_id = 0;
uint32_t pre_key_id = 0;
uint32_t signed_pre_key_id;
ec_public_key *base_key;
if(session_state_unacknowledged_pre_key_message_has_pre_key_id(state)) {
has_pre_key_id = 1;
pre_key_id = session_state_unacknowledged_pre_key_message_get_pre_key_id(state);
}
signed_pre_key_id = session_state_unacknowledged_pre_key_message_get_signed_pre_key_id(state);
base_key = session_state_unacknowledged_pre_key_message_get_base_key(state);
if(!base_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
result = pre_key_signal_message_create(&pre_key_message,
session_version, local_registration_id, (has_pre_key_id ? &pre_key_id : 0),
signed_pre_key_id, base_key, local_identity_key,
message,
cipher->global_context);
if(result < 0) {
goto complete;
}
SIGNAL_UNREF(message);
message = 0;
}
result = ratchet_chain_key_create_next(chain_key, &next_chain_key);
if(result < 0) {
goto complete;
}
result = session_state_set_sender_chain_key(state, next_chain_key);
if(result < 0) {
goto complete;
}
result = signal_protocol_session_store_session(cipher->store, cipher->remote_address, record);
complete:
if(result >= 0) {
if(pre_key_message) {
*encrypted_message = (ciphertext_message *)pre_key_message;
}
else {
*encrypted_message = (ciphertext_message *)message;
}
}
else {
SIGNAL_UNREF(pre_key_message);
SIGNAL_UNREF(message);
}
signal_buffer_free(ciphertext);
SIGNAL_UNREF(next_chain_key);
SIGNAL_UNREF(record);
signal_explicit_bzero(&message_keys, sizeof(ratchet_message_keys));
signal_unlock(cipher->global_context);
return result;
}
END_TEST
START_TEST(test_serialize_pre_key_signal_message)
{
int result = 0;
static const char ciphertext[] = "WhisperCipherText";
ec_public_key *sender_ratchet_key = create_test_ec_public_key(global_context);
ec_public_key *sender_identity_key = create_test_ec_public_key(global_context);
ec_public_key *receiver_identity_key = create_test_ec_public_key(global_context);
ec_public_key *base_key = create_test_ec_public_key(global_context);
ec_public_key *identity_key = create_test_ec_public_key(global_context);
uint8_t mac_key[RATCHET_MAC_KEY_LENGTH];
memset(mac_key, 1, sizeof(mac_key));
signal_message *message = 0;
pre_key_signal_message *pre_key_message = 0;
pre_key_signal_message *result_pre_key_message = 0;
result = signal_message_create(&message, 3,
mac_key, sizeof(mac_key),
sender_ratchet_key,
2, /* counter */
1, /* previous counter */
(uint8_t *)ciphertext, sizeof(ciphertext) - 1,
sender_identity_key, receiver_identity_key,
global_context);
ck_assert_int_eq(result, 0);
uint32_t pre_key_id = 56;
result = pre_key_signal_message_create(&pre_key_message,
3, /* message version */
42, /* registration ID */
&pre_key_id, /* pre key ID */
72, /* signed pre key ID */
base_key, identity_key,
message,
global_context);
ck_assert_int_eq(result, 0);
signal_buffer *serialized = ciphertext_message_get_serialized((ciphertext_message *)pre_key_message);
ck_assert_ptr_ne(serialized, 0);
result = pre_key_signal_message_deserialize(&result_pre_key_message,
signal_buffer_data(serialized),
signal_buffer_len(serialized),
global_context);
ck_assert_int_eq(result, 0);
int version1 = pre_key_signal_message_get_message_version(pre_key_message);
int version2 = pre_key_signal_message_get_message_version(result_pre_key_message);
ck_assert_int_eq(version1, version2);
ec_public_key *identity_key1 = pre_key_signal_message_get_identity_key(pre_key_message);
ec_public_key *identity_key2 = pre_key_signal_message_get_identity_key(result_pre_key_message);
ck_assert_int_eq(ec_public_key_compare(identity_key1, identity_key2), 0);
int registration_id1 = pre_key_signal_message_get_registration_id(pre_key_message);
int registration_id2 = pre_key_signal_message_get_registration_id(result_pre_key_message);
ck_assert_int_eq(registration_id1, registration_id2);
int has_pre_key_id1 = pre_key_signal_message_has_pre_key_id(pre_key_message);
int has_pre_key_id2 = pre_key_signal_message_has_pre_key_id(result_pre_key_message);
ck_assert_int_eq(has_pre_key_id1, has_pre_key_id2);
if(has_pre_key_id1) {
int pre_key_id1 = pre_key_signal_message_get_pre_key_id(pre_key_message);
int pre_key_id2 = pre_key_signal_message_get_pre_key_id(result_pre_key_message);
ck_assert_int_eq(pre_key_id1, pre_key_id2);
}
int signed_pre_key_id1 = pre_key_signal_message_get_signed_pre_key_id(pre_key_message);
int signed_pre_key_id2 = pre_key_signal_message_get_signed_pre_key_id(result_pre_key_message);
ck_assert_int_eq(signed_pre_key_id1, signed_pre_key_id2);
ec_public_key *base_key1 = pre_key_signal_message_get_base_key(pre_key_message);
ec_public_key *base_key2 = pre_key_signal_message_get_base_key(result_pre_key_message);
ck_assert_int_eq(ec_public_key_compare(base_key1, base_key2), 0);
signal_message *message1 = pre_key_signal_message_get_signal_message(pre_key_message);
signal_message *message2 = pre_key_signal_message_get_signal_message(result_pre_key_message);
compare_signal_messages(message1, message2);
/* Cleanup */
SIGNAL_UNREF(message);
SIGNAL_UNREF(result_pre_key_message);
SIGNAL_UNREF(pre_key_message);
SIGNAL_UNREF(sender_ratchet_key);
SIGNAL_UNREF(sender_identity_key);
SIGNAL_UNREF(receiver_identity_key);
SIGNAL_UNREF(base_key);
SIGNAL_UNREF(identity_key);
}
static int session_cipher_get_or_create_message_keys(ratchet_message_keys *message_keys,
session_state *state, ec_public_key *their_ephemeral,
ratchet_chain_key *chain_key, uint32_t counter, signal_context *global_context)
{
int result = 0;
ratchet_chain_key *cur_chain_key = 0;
ratchet_chain_key *next_chain_key = 0;
ratchet_message_keys message_keys_result;
if(ratchet_chain_key_get_index(chain_key) > counter) {
result = session_state_remove_message_keys(state, &message_keys_result, their_ephemeral, counter);
if(result == 1) {
result = 0;
goto complete;
}
signal_log(global_context, SG_LOG_WARNING, "Received message with old counter: %d, %d",
ratchet_chain_key_get_index(chain_key), counter);
result = SG_ERR_DUPLICATE_MESSAGE;
goto complete;
}
if(counter - ratchet_chain_key_get_index(chain_key) > 2000) {
signal_log(global_context, SG_LOG_WARNING, "Over 2000 messages into the future!");
result = SG_ERR_INVALID_MESSAGE;
goto complete;
}
cur_chain_key = chain_key;
SIGNAL_REF(cur_chain_key);
while(ratchet_chain_key_get_index(cur_chain_key) < counter) {
result = ratchet_chain_key_get_message_keys(cur_chain_key, &message_keys_result);
if(result < 0) {
goto complete;
}
result = session_state_set_message_keys(state, their_ephemeral, &message_keys_result);
if(result < 0) {
goto complete;
}
result = ratchet_chain_key_create_next(cur_chain_key, &next_chain_key);
if(result < 0) {
goto complete;
}
SIGNAL_UNREF(cur_chain_key);
cur_chain_key = next_chain_key;
next_chain_key = 0;
}
result = ratchet_chain_key_create_next(cur_chain_key, &next_chain_key);
if(result < 0) {
goto complete;
}
result = session_state_set_receiver_chain_key(state, their_ephemeral, next_chain_key);
if(result < 0) {
goto complete;
}
result = ratchet_chain_key_get_message_keys(cur_chain_key, &message_keys_result);
if(result < 0) {
goto complete;
}
complete:
if(result >= 0) {
memcpy(message_keys, &message_keys_result, sizeof(ratchet_message_keys));
}
SIGNAL_UNREF(cur_chain_key);
SIGNAL_UNREF(next_chain_key);
signal_explicit_bzero(&message_keys_result, sizeof(ratchet_message_keys));
return result;
}
static int session_cipher_get_or_create_chain_key(session_cipher *cipher,
ratchet_chain_key **chain_key,
session_state *state, ec_public_key *their_ephemeral)
{
int result = 0;
ratchet_chain_key *result_key = 0;
ratchet_root_key *receiver_root_key = 0;
ratchet_chain_key *receiver_chain_key = 0;
ratchet_root_key *sender_root_key = 0;
ratchet_chain_key *sender_chain_key = 0;
ec_key_pair *our_new_ephemeral = 0;
ratchet_root_key *root_key = 0;
ec_key_pair *our_ephemeral = 0;
ratchet_chain_key *previous_sender_chain_key = 0;
uint32_t index = 0;
result_key = session_state_get_receiver_chain_key(state, their_ephemeral);
if(result_key) {
SIGNAL_REF(result_key);
goto complete;
}
root_key = session_state_get_root_key(state);
if(!root_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
our_ephemeral = session_state_get_sender_ratchet_key_pair(state);
if(!our_ephemeral) {
result = SG_ERR_UNKNOWN;
goto complete;
}
result = ratchet_root_key_create_chain(root_key,
&receiver_root_key, &receiver_chain_key,
their_ephemeral, ec_key_pair_get_private(our_ephemeral));
if(result < 0) {
goto complete;
}
result = curve_generate_key_pair(cipher->global_context, &our_new_ephemeral);
if(result < 0) {
goto complete;
}
result = ratchet_root_key_create_chain(receiver_root_key,
&sender_root_key, &sender_chain_key,
their_ephemeral, ec_key_pair_get_private(our_new_ephemeral));
if(result < 0) {
goto complete;
}
session_state_set_root_key(state, sender_root_key);
result = session_state_add_receiver_chain(state, their_ephemeral, receiver_chain_key);
if(result < 0) {
goto complete;
}
previous_sender_chain_key = session_state_get_sender_chain_key(state);
if(!previous_sender_chain_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
index = ratchet_chain_key_get_index(previous_sender_chain_key);
if(index > 0) { --index; }
session_state_set_previous_counter(state, index);
session_state_set_sender_chain(state, our_new_ephemeral, sender_chain_key);
result_key = receiver_chain_key;
SIGNAL_REF(result_key);
complete:
SIGNAL_UNREF(receiver_root_key);
SIGNAL_UNREF(receiver_chain_key);
SIGNAL_UNREF(sender_root_key);
SIGNAL_UNREF(sender_chain_key);
SIGNAL_UNREF(our_new_ephemeral);
if(result >= 0) {
*chain_key = result_key;
}
else {
SIGNAL_UNREF(result_key);
}
return result;
}
static int session_cipher_decrypt_from_state_and_signal_message(session_cipher *cipher,
session_state *state, signal_message *ciphertext, signal_buffer **plaintext)
{
int result = 0;
signal_buffer *result_buf = 0;
ec_public_key *their_ephemeral = 0;
uint32_t counter = 0;
ratchet_chain_key *chain_key = 0;
ratchet_message_keys message_keys;
uint8_t message_version = 0;
uint32_t session_version = 0;
ec_public_key *remote_identity_key = 0;
ec_public_key *local_identity_key = 0;
signal_buffer *ciphertext_body = 0;
if(!session_state_has_sender_chain(state)) {
signal_log(cipher->global_context, SG_LOG_WARNING, "Uninitialized session!");
result = SG_ERR_INVALID_MESSAGE;
goto complete;
}
message_version = signal_message_get_message_version(ciphertext);
session_version = session_state_get_session_version(state);
if(message_version != session_version) {
signal_log(cipher->global_context, SG_LOG_WARNING, "Message version %d, but session version %d", message_version, session_version);
result = SG_ERR_INVALID_MESSAGE;
goto complete;
}
their_ephemeral = signal_message_get_sender_ratchet_key(ciphertext);
if(!their_ephemeral) {
result = SG_ERR_UNKNOWN;
goto complete;
}
counter = signal_message_get_counter(ciphertext);
result = session_cipher_get_or_create_chain_key(cipher, &chain_key, state, their_ephemeral);
if(result < 0) {
goto complete;
}
result = session_cipher_get_or_create_message_keys(&message_keys, state,
their_ephemeral, chain_key, counter, cipher->global_context);
if(result < 0) {
goto complete;
}
remote_identity_key = session_state_get_remote_identity_key(state);
if(!remote_identity_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
local_identity_key = session_state_get_local_identity_key(state);
if(!local_identity_key) {
result = SG_ERR_UNKNOWN;
goto complete;
}
result = signal_message_verify_mac(ciphertext, message_version,
remote_identity_key, local_identity_key,
message_keys.mac_key, sizeof(message_keys.mac_key),
cipher->global_context);
if(result != 1) {
if(result == 0) {
signal_log(cipher->global_context, SG_LOG_WARNING, "Message mac not verified");
result = SG_ERR_INVALID_MESSAGE;
}
else if(result < 0) {
signal_log(cipher->global_context, SG_LOG_WARNING, "Error attempting to verify message mac");
}
goto complete;
}
ciphertext_body = signal_message_get_body(ciphertext);
if(!ciphertext_body) {
signal_log(cipher->global_context, SG_LOG_WARNING, "Message body does not exist");
result = SG_ERR_INVALID_MESSAGE;
goto complete;
}
result = session_cipher_get_plaintext(cipher, &result_buf, message_version, &message_keys,
signal_buffer_data(ciphertext_body), signal_buffer_len(ciphertext_body));
if(result < 0) {
goto complete;
}
session_state_clear_unacknowledged_pre_key_message(state);
complete:
SIGNAL_UNREF(chain_key);
if(result >= 0) {
*plaintext = result_buf;
}
else {
signal_buffer_free(result_buf);
}
signal_explicit_bzero(&message_keys, sizeof(ratchet_message_keys));
return result;
}
int device_consistency_message_create_from_serialized(device_consistency_message **message,
device_consistency_commitment *commitment,
const uint8_t *serialized_data, size_t serialized_len,
ec_public_key *identity_key,
signal_context *global_context)
{
int result = 0;
device_consistency_message *result_message = 0;
Textsecure__DeviceConsistencyCodeMessage *message_structure = 0;
signal_buffer *commitment_buffer = 0;
signal_buffer *vrf_output_buffer = 0;
/* Create message instance */
result = device_consistency_message_create(&result_message);
if(result < 0) {
goto complete;
}
/* Deserialize the message */
message_structure = textsecure__device_consistency_code_message__unpack(0, serialized_len, serialized_data);
if(!message_structure) {
result = SG_ERR_INVALID_PROTO_BUF;
goto complete;
}
if(!message_structure->has_generation || !message_structure->has_signature) {
result = SG_ERR_INVALID_PROTO_BUF;
goto complete;
}
/* Verify VRF signature */
commitment_buffer = device_consistency_commitment_get_serialized(commitment);
result = curve_verify_vrf_signature(global_context, &vrf_output_buffer,
identity_key,
signal_buffer_data(commitment_buffer), signal_buffer_len(commitment_buffer),
message_structure->signature.data, message_structure->signature.len);
if(result < 0) {
goto complete;
}
/* Assign the message fields */
result_message->generation = message_structure->generation;
result = device_consistency_signature_create(&result_message->signature,
message_structure->signature.data, message_structure->signature.len,
signal_buffer_data(vrf_output_buffer), signal_buffer_len(vrf_output_buffer));
if(result < 0) {
goto complete;
}
result_message->serialized = signal_buffer_create(serialized_data, serialized_len);
if(!result_message->serialized) {
result = SG_ERR_NOMEM;
}
complete:
if(message_structure) {
textsecure__device_consistency_code_message__free_unpacked(message_structure, 0);
}
signal_buffer_free(vrf_output_buffer);
if(result >= 0) {
*message = result_message;
}
else {
SIGNAL_UNREF(result_message);
}
if(result == SG_ERR_INVALID_PROTO_BUF
|| result == SG_ERR_INVALID_KEY
|| result == SG_ERR_VRF_SIG_VERIF_FAILED) {
result = SG_ERR_INVALID_MESSAGE;
}
return result;
}
int ratcheting_session_calculate_derived_keys(ratchet_root_key **root_key, ratchet_chain_key **chain_key,
uint8_t *secret, size_t secret_len, signal_context *global_context)
{
int result = 0;
ssize_t result_size = 0;
hkdf_context *kdf = 0;
ratchet_root_key *root_key_result = 0;
ratchet_chain_key *chain_key_result = 0;
uint8_t *output = 0;
uint8_t salt[HASH_OUTPUT_SIZE];
static const char key_info[] = "WhisperText";
result = hkdf_create(&kdf, 3, global_context);
if(result < 0) {
goto complete;
}
memset(salt, 0, sizeof(salt));
result_size = hkdf_derive_secrets(kdf, &output,
secret, secret_len,
salt, sizeof(salt),
(uint8_t *)key_info, sizeof(key_info) - 1, 64);
if(result_size != 64) {
result = SG_ERR_UNKNOWN;
goto complete;
}
result = ratchet_root_key_create(&root_key_result, kdf, output, 32, global_context);
if(result < 0) {
goto complete;
}
result = ratchet_chain_key_create(&chain_key_result, kdf, output + 32, 32, 0, global_context);
if(result < 0) {
goto complete;
}
complete:
if(kdf) {
SIGNAL_UNREF(kdf);
}
if(output) {
free(output);
}
if(result < 0) {
if(root_key_result) {
SIGNAL_UNREF(root_key_result);
}
if(chain_key_result) {
SIGNAL_UNREF(chain_key_result);
}
}
else {
*root_key = root_key_result;
*chain_key = chain_key_result;
}
return result;
}
int displayable_fingerprint_create(displayable_fingerprint **displayable, const char *local_fingerprint, const char *remote_fingerprint)
{
int result = 0;
size_t local_len = 0;
size_t remote_len = 0;
displayable_fingerprint *result_displayable = 0;
char *display_text = 0;
if(!local_fingerprint || !remote_fingerprint) {
return SG_ERR_INVAL;
}
result_displayable = malloc(sizeof(displayable_fingerprint));
if(!result_displayable) {
return SG_ERR_NOMEM;
}
memset(result_displayable, 0, sizeof(displayable_fingerprint));
SIGNAL_INIT(result_displayable, displayable_fingerprint_destroy);
result_displayable->local_fingerprint = strdup(local_fingerprint);
if(!result_displayable->local_fingerprint) {
result = SG_ERR_NOMEM;
goto complete;
}
result_displayable->remote_fingerprint = strdup(remote_fingerprint);
if(!result_displayable->remote_fingerprint) {
result = SG_ERR_NOMEM;
goto complete;
}
local_len = strlen(local_fingerprint);
remote_len = strlen(remote_fingerprint);
display_text = malloc(local_len + remote_len + 1);
if(!display_text) {
result = SG_ERR_NOMEM;
goto complete;
}
if(strcmp(local_fingerprint, remote_fingerprint) <= 0) {
memcpy(display_text, local_fingerprint, local_len);
memcpy(display_text + local_len, remote_fingerprint, remote_len + 1);
}
else {
memcpy(display_text, remote_fingerprint, remote_len);
memcpy(display_text + remote_len, local_fingerprint, local_len + 1);
}
result_displayable->display_text = display_text;
complete:
if(result < 0) {
SIGNAL_UNREF(result_displayable);
}
else {
*displayable = result_displayable;
}
return result;
}
int session_cipher_decrypt_pre_key_signal_message(session_cipher *cipher,
pre_key_signal_message *ciphertext, void *decrypt_context,
signal_buffer **plaintext)
{
int result = 0;
signal_buffer *result_buf = 0;
session_record *record = 0;
int has_unsigned_pre_key_id = 0;
uint32_t unsigned_pre_key_id = 0;
assert(cipher);
signal_lock(cipher->global_context);
if(cipher->inside_callback == 1) {
result = SG_ERR_INVAL;
goto complete;
}
result = signal_protocol_session_load_session(cipher->store, &record, cipher->remote_address);
if(result < 0) {
goto complete;
}
result = session_builder_process_pre_key_signal_message(cipher->builder, record, ciphertext, &unsigned_pre_key_id);
if(result < 0) {
goto complete;
}
has_unsigned_pre_key_id = result;
result = session_cipher_decrypt_from_record_and_signal_message(cipher, record,
pre_key_signal_message_get_signal_message(ciphertext),
&result_buf);
if(result < 0) {
goto complete;
}
result = session_cipher_decrypt_callback(cipher, result_buf, decrypt_context);
if(result < 0) {
goto complete;
}
result = signal_protocol_session_store_session(cipher->store, cipher->remote_address, record);
if(result < 0) {
goto complete;
}
if(has_unsigned_pre_key_id) {
result = signal_protocol_pre_key_remove_key(cipher->store, unsigned_pre_key_id);
if(result < 0) {
goto complete;
}
}
complete:
SIGNAL_UNREF(record);
if(result >= 0) {
*plaintext = result_buf;
}
else {
signal_buffer_free(result_buf);
}
signal_unlock(cipher->global_context);
return result;
}
